(feat): [Boxcutter] Use ClusterExtension ServiceAccount for revision operations

Implement serviceAccount-scoped token-based authentication for
ClusterExtensionRevision controller using annotation-based configuration.

- Add RevisionEngineFactory with CreateRevisionEngine(ctx, rev) interface
- Read ServiceAccount from annotations (no ClusterExtension dependency)
- Token-based auth using TokenInjectingRoundTripper
- ServiceAccount name and namespace in annotations for observability
- TrackingCache uses global client for caching/cleanup
- Comprehensive error path tests

ClusterExtensionRevision can exist independently.
Easy mode impersonation deferred until API is finalized.

Assisted-by: Cursor

Author: camilamacedo86

cmd/operator-controller/main.go

@@ -42,10 +42,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
-	"pkg.package-operator.run/boxcutter/machinery"
 	"pkg.package-operator.run/boxcutter/managedcache"
-	"pkg.package-operator.run/boxcutter/ownerhandling"
-	"pkg.package-operator.run/boxcutter/validation"
 	ctrl "sigs.k8s.io/controller-runtime"
 	crcache "sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
@@ -653,21 +650,26 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl
 		return fmt.Errorf("unable to add tracking cache to manager: %v", err)
 	}
 
+	cerCoreClient, err := corev1client.NewForConfig(c.mgr.GetConfig())
+	if err != nil {
+		return fmt.Errorf("unable to create client for ClusterExtensionRevision controller: %w", err)
+	}
+	cerTokenGetter := authentication.NewTokenGetter(cerCoreClient, authentication.WithExpirationDuration(1*time.Hour))
+
+	revisionEngineFactory := controllers.NewDefaultRevisionEngineFactory(
+		c.mgr.GetScheme(),
+		trackingCache,
+		discoveryClient,
+		c.mgr.GetRESTMapper(),
+		fieldOwnerPrefix,
+		c.mgr.GetConfig(),
+		cerTokenGetter,
+	)
+
 	if err = (&controllers.ClusterExtensionRevisionReconciler{
-		Client: c.mgr.GetClient(),
-		RevisionEngine: machinery.NewRevisionEngine(
-			machinery.NewPhaseEngine(
-				machinery.NewObjectEngine(
-					c.mgr.GetScheme(), trackingCache, c.mgr.GetClient(),
-					ownerhandling.NewNative(c.mgr.GetScheme()),
-					machinery.NewComparator(ownerhandling.NewNative(c.mgr.GetScheme()), discoveryClient, c.mgr.GetScheme(), fieldOwnerPrefix),
-					fieldOwnerPrefix, fieldOwnerPrefix,
-				),
-				validation.NewClusterPhaseValidator(c.mgr.GetRESTMapper(), c.mgr.GetClient()),
-			),
-			validation.NewRevisionValidator(), c.mgr.GetClient(),
-		),
-		TrackingCache: trackingCache,
+		Client:                c.mgr.GetClient(),
+		RevisionEngineFactory: revisionEngineFactory,
+		TrackingCache:         trackingCache,
 	}).SetupWithManager(c.mgr); err != nil {
 		return fmt.Errorf("unable to setup ClusterExtensionRevision controller: %w", err)
 	}

internal/operator-controller/applier/boxcutter.go

@@ -186,6 +186,12 @@ func (r *SimpleRevisionGenerator) buildClusterExtensionRevision(
 	ext *ocv1.ClusterExtension,
 	annotations map[string]string,
 ) *ocv1.ClusterExtensionRevision {
+	if annotations == nil {
+		annotations = make(map[string]string)
+	}
+	annotations[labels.ServiceAccountNameKey] = ext.Spec.ServiceAccount.Name
+	annotations[labels.ServiceAccountNamespaceKey] = ext.Spec.Namespace
+
 	return &ocv1.ClusterExtensionRevision{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations: annotations,

internal/operator-controller/applier/boxcutter_test.go

@@ -66,6 +66,12 @@ func Test_SimpleRevisionGenerator_GenerateRevisionFromHelmRelease(t *testing.T)
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-123",
 		},
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace: "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: "test-sa",
+			},
+		},
 	}
 
 	objectLabels := map[string]string{
@@ -79,10 +85,12 @@ func Test_SimpleRevisionGenerator_GenerateRevisionFromHelmRelease(t *testing.T)
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-123-1",
 			Annotations: map[string]string{
-				"olm.operatorframework.io/bundle-name":      "my-bundle",
-				"olm.operatorframework.io/bundle-reference": "bundle-ref",
-				"olm.operatorframework.io/bundle-version":   "1.2.0",
-				"olm.operatorframework.io/package-name":     "my-package",
+				"olm.operatorframework.io/bundle-name":               "my-bundle",
+				"olm.operatorframework.io/bundle-reference":          "bundle-ref",
+				"olm.operatorframework.io/bundle-version":            "1.2.0",
+				"olm.operatorframework.io/package-name":              "my-package",
+				"olm.operatorframework.io/service-account-name":      "test-sa",
+				"olm.operatorframework.io/service-account-namespace": "test-namespace",
 			},
 			Labels: map[string]string{
 				labels.OwnerNameKey: "test-123",
@@ -172,6 +180,12 @@ func Test_SimpleRevisionGenerator_GenerateRevision(t *testing.T) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-extension",
 		},
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace: "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: "test-sa",
+			},
+		},
 	}
 
 	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, ext, map[string]string{}, map[string]string{})
@@ -291,7 +305,12 @@ func Test_SimpleRevisionGenerator_AppliesObjectLabelsAndRevisionAnnotations(t *t
 		"other": "value",
 	}
 
-	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{}, map[string]string{
+	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace:      "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{Name: "test-sa"},
+		},
+	}, map[string]string{
 		"some": "value",
 	}, revAnnotations)
 	require.NoError(t, err)
@@ -319,7 +338,12 @@ func Test_SimpleRevisionGenerator_Failure(t *testing.T) {
 		ManifestProvider: r,
 	}
 
-	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{}, map[string]string{}, map[string]string{})
+	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace:      "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{Name: "test-sa"},
+		},
+	}, map[string]string{}, map[string]string{})
 	require.Nil(t, rev)
 	t.Log("by checking rendering errors are propagated")
 	require.Error(t, err)

internal/operator-controller/controllers/clusterextensionrevision_controller.go

@@ -43,9 +43,9 @@ const (
 // ClusterExtensionRevisionReconciler actions individual snapshots of ClusterExtensions,
 // as part of the boxcutter integration.
 type ClusterExtensionRevisionReconciler struct {
-	Client         client.Client
-	RevisionEngine RevisionEngine
-	TrackingCache  trackingCache
+	Client                client.Client
+	RevisionEngineFactory RevisionEngineFactory
+	TrackingCache         trackingCache
 }
 
 type trackingCache interface {
@@ -60,6 +60,11 @@ type RevisionEngine interface {
 	Reconcile(ctx context.Context, rev machinerytypes.Revision, opts ...machinerytypes.RevisionReconcileOption) (machinery.RevisionResult, error)
 }
 
+// RevisionEngineFactory creates a RevisionEngine for a ClusterExtensionRevision.
+type RevisionEngineFactory interface {
+	CreateRevisionEngine(ctx context.Context, rev *ocv1.ClusterExtensionRevision) (RevisionEngine, error)
+}
+
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions,verbs=get;list;watch;update;patch;create;delete
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions/status,verbs=update;patch
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions/finalizers,verbs=update
@@ -139,7 +144,13 @@ func (c *ClusterExtensionRevisionReconciler) reconcile(ctx context.Context, rev
 		return ctrl.Result{}, werr
 	}
 
-	rres, err := c.RevisionEngine.Reconcile(ctx, *revision, opts...)
+	revisionEngine, err := c.RevisionEngineFactory.CreateRevisionEngine(ctx, rev)
+	if err != nil {
+		setRetryingConditions(rev, err.Error())
+		return ctrl.Result{}, fmt.Errorf("failed to create revision engine: %v", err)
+	}
+
+	rres, err := revisionEngine.Reconcile(ctx, *revision, opts...)
 	if err != nil {
 		if rres != nil {
 			// Log detailed reconcile reports only in debug mode (V(1)) to reduce verbosity.
@@ -253,7 +264,13 @@ func (c *ClusterExtensionRevisionReconciler) reconcile(ctx context.Context, rev
 func (c *ClusterExtensionRevisionReconciler) teardown(ctx context.Context, rev *ocv1.ClusterExtensionRevision, revision *boxcutter.Revision) (ctrl.Result, error) {
 	l := log.FromContext(ctx)
 
-	tres, err := c.RevisionEngine.Teardown(ctx, *revision)
+	revisionEngine, err := c.RevisionEngineFactory.CreateRevisionEngine(ctx, rev)
+	if err != nil {
+		markAsAvailableUnknown(rev, ocv1.ClusterExtensionRevisionReasonReconciling, err.Error())
+		return ctrl.Result{}, fmt.Errorf("failed to create revision engine for teardown: %v", err)
+	}
+
+	tres, err := revisionEngine.Teardown(ctx, *revision)
 	if err != nil {
 		if tres != nil {
 			l.V(1).Info("teardown failure report", "report", tres.String())